I have a use case where I need to authorize users based on a JWT that is passed by my website (from an IFrame). My backend API can support this (create an “auth” endpoint that checks the token, provisions new accounts via the Auth0 management API, and returns an Auth0 JWT). However, I’m wondering if I can accomplish this without all the extra steps.

Ideally, I’d like to still take advantage of Lock by passing the token as a custom field or something, and using a rule to override the authentication? Would something like this work? At the end of the day, I would still like to use Auth0 to manage these users, along with my standard users (using a normal database connection), with minor modifications.

2a) Write some JS for “Create”. Assume that password is the JWT from the iframe and email is some unique ID, verify the JWT using whatever custom JS you want, then potentially look up some extended profile info to attach.

2b) Write some JS for “Login”. Same as above, just verify the JWT.

Use the Auth0.js signup method for new users, and pass in the Iframe JWT as the password and the extracted unique user ID as the email. This will ensure your users exist. Ignore errors when a user already exists.

Note: This method wouldn’t use the Lock UI for any users from the iframe-partner connection, but would be used for your vanilla email/password users. You’d need some custom UI for your iframe-partners still, but you wouldn’t require any backend server code.